You can protect your admin folders from online users at the server level. Apache allows you to add additional security (UN and PW) to the “Back Office” folder even though your website is already protected with a username and PW. Yes, you will need two sets of credentials, but you can never be too secure. You will need localhost or FTP access, plus command-line access to the remote server.
First, create a file on your workstation named .htaccess.txt and add the following information. Then FTP this file to the folder you want protected.
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /yourDirPath/HTdoc/website/admin/.htpasswd
    Require valid-user
Once it's on your server, rename it to .htaccess (remove the .txt and keep the period in front of the filename) and use chmod to set its permissions to 644.
Second, use your command line to navigate to the folder you want protected.
From here, you will create the username and password file. Type in the commands below:
    htpasswd -c .htpasswd username
    New password:
    Re-type new password:
The above command uses the -c switch to create the .htpasswd file. The command below, without -c, is for any additional people you want to give access to.
    htpasswd .htpasswd username
    New password:
    Re-type new password:
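To remove a person from the system, type the command below:
    htpasswd -D .htpasswd username
Notice that the uppercase -D is the switch that will remove this user. The lowercase -d does something different: it selects crypt() hashing for the password.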
Restart the Apache service using the command below:
sudo /etc/init.d/apache2 restart
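As an added example (not part of the original page), the shell function below audits a folder set up with the steps above: it checks the 644 mode on .htaccess, the four directives, that AuthUserFile points at a real file, and which hash scheme each .htpasswd entry uses. The function name audit_protected_dir and the "FINDING:" output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a folder protected with .htaccess/.htpasswd.
# Prints one "FINDING:" line per problem; returns 0 only when none are found.
audit_protected_dir() {
    dir=$1
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    ht="$dir/.htaccess"
    [ -f "$ht" ] || { note "$ht is missing"; return 1; }

    # The tutorial sets .htaccess to 644 (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$ht" 2>/dev/null || stat -f '%Lp' "$ht")
    [ "$mode" = "644" ] || note ".htaccess mode is $mode, expected 644"

    # All four directives from the tutorial must be present (names are case-insensitive).
    for d in AuthType AuthName AuthUserFile Require; do
        grep -qi "^[[:space:]]*$d[[:space:]]" "$ht" || note "directive $d is missing"
    done

    # AuthUserFile must name a file that exists (paths with spaces are not handled).
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    [ -n "$pw" ] && [ -f "$pw" ] || { note "AuthUserFile '$pw' not found"; return 1; }

    # Classify each user:hash entry by the scheme prefix htpasswd writes.
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        case $hash in
            '$apr1$'* | '$2y$'* | '$5$'* | '$6$'*) ;;  # salted: MD5-APR1, bcrypt, SHA-2 crypt
            '{SHA}'*) note "user $user: unsalted SHA-1 hash (htpasswd -s)" ;;
            '')       note "user $user: empty password field" ;;
            *)        note "user $user: crypt() or plaintext entry (htpasswd -d / -p)" ;;
        esac
    done < "$pw"

    [ "$findings" -eq 0 ]
}
```

Source the file on the server and call audit_protected_dir with the path of the protected folder; a non-zero return means at least one finding was printed.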